Is it worth jailbreaking an iPhone?
Updated 2019-12-25: added the iCloud welcome screen bypass.
My iPhone 6 can’t be upgraded to the latest version of iOS, and it is vulnerable to the “permanent unpatchable bootrom exploit” that affects Apple devices from the iPhone 4s to the iPhone X, as the author describes [1]. Yes, it is permanent and unpatchable, although it is semi-tethered, meaning you have root only until the next restart of the phone. According to the author, it works by using a race-condition flaw to exploit the operating system and get the highest privileges [2][6]. Exploiting it with the “Checkra1n” application [3] looks less risky than flashing the phone with custom firmware :)
This test was done on macOS Catalina. So far, Checkra1n is available only on macOS.
The first steps just introduce and prepare your phone for recovery mode.
You will need to enter DFU mode: once you are ready, press the Power and Home buttons at the same time. After 3 seconds, release the Power button and keep holding the Home button.
The jailbreak is in progress.
After the patch is applied, your iPhone will have a checkra1n application. Use it to install Cydia, which is another way to install applications from other repositories. Applications can have a GUI or be terminal-only. And yes, you can compile your own, but you need an environment with the “Toolchain”.
Together with Cydia, an OpenSSH server is preinstalled. I just need to type a command in the terminal (the Mac needs to be on the same local network, and I need to know the phone’s IP address).
ssh root@192.168.88.12
The default login password is alpine. After a successful login, change it: anyone on the same network who knows the default can log in as root until you do.
Bypass iCloud Welcome Screen
Actually, it’s not bypassing iCloud security; it just bypasses the welcome screen shown when you turn on the phone. I am doing this on my own device. I do not recommend doing it on others’.
Prerequisites: brew [4], an alternative package manager that is CLI-only. It will require you to accept the Apple developer license; please follow the instructions.
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
And usbmuxd, the project that provides the iproxy application [5].
brew install usbmuxd
Open a new terminal window and run iproxy, forwarding local port 2222 to the phone’s SSH port 22 over USB:
iproxy 2222 22
Open one more terminal and ssh to localhost:
ssh root@localhost -p 2222
The default password is alpine.
Then use the commands below on the phone:
# Remount the root filesystem read-write
mount -o rw,union,update /
# Then rename the Setup.app folder (keep the backup so it can be restored)
mv /Applications/Setup.app /Applications/Setup.app.bak
# Then rebuild the app cache and respring
uicache -a && killall -9 SpringBoard
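As an added example that is not part of the original post, the Setup.app rename above wrapped in reversible shell helpers, so the step can be undone with the same script. The APPS and RUN_ON_DEVICE variables and the function names are my own; APPS defaults to /Applications on the phone, and the mount/respring steps only run when RUN_ON_DEVICE is set.

```shell
#!/bin/sh
# Added example, not from the original post. Reversible wrapper around the
# post's "mv Setup.app Setup.app.bak" step. APPS (assumed name) defaults to
# /Applications; RUN_ON_DEVICE (assumed name) gates the on-phone commands.
APPS="${APPS:-/Applications}"

# Remount the root filesystem read-write, exactly as in the post.
remount_rw() {
    [ -n "$RUN_ON_DEVICE" ] || return 0
    mount -o rw,union,update /
}

# Hide the welcome screen: Setup.app -> Setup.app.bak.
# Refuses to overwrite an existing backup so a second run cannot clobber
# the only copy. Returns 0 on success, 1/2/3 on the failure paths.
hide_setup_app() {
    src="$APPS/Setup.app"; bak="$APPS/Setup.app.bak"
    [ -d "$src" ] || { echo "no $src" >&2; return 1; }
    [ -e "$bak" ] && { echo "backup $bak exists, refusing" >&2; return 2; }
    remount_rw || return 3
    mv "$src" "$bak"
}

# Undo: Setup.app.bak -> Setup.app. Refuses if a Setup.app is already there.
restore_setup_app() {
    src="$APPS/Setup.app"; bak="$APPS/Setup.app.bak"
    [ -d "$bak" ] || { echo "no $bak" >&2; return 1; }
    [ -e "$src" ] && { echo "$src present, refusing" >&2; return 2; }
    remount_rw || return 3
    mv "$bak" "$src"
}

# Rebuild the app cache and respring, as in the post; on the device only.
respring() {
    [ -n "$RUN_ON_DEVICE" ] || return 0
    uicache -a && killall -9 SpringBoard
}

# Usage on the phone (after "ssh root@localhost -p 2222"):
#   RUN_ON_DEVICE=1 sh setup_app.sh hide
#   RUN_ON_DEVICE=1 sh setup_app.sh restore
case "${1:-}" in
    hide) hide_setup_app && respring ;;
    restore) restore_setup_app && respring ;;
esac
```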
Conclusion: yes, it is worth exploiting if you like to explore things and have a phone like mine. Backups are your best friends :)
Checkra1n won’t unlock an iPhone from iCloud security, although there could be a workaround to bypass it.
The latest iPhones, like the Xs, 11 Pro, etc., are not affected by this vulnerability.
I will test on my own iPhone. I’m not sure whether this is good or bad for real owners of iPhones. Let’s leave it for open discussion.
References:
[1] https://github.com/axi0mX/ipwndfu
[2] https://twitter.com/axi0mX/status/1177544174163263489
[3] https://checkra.in
[4] https://brew.sh
[5] https://github.com/libimobiledevice/usbmuxd
[6] https://www.kb.cert.org/vuls/id/941987/